Jamie Cawley

Accessing the built-in observability tools of Kyma runtime

Included with Kyma is Grafana, which provides a centralized view of the logs and a number of dashboards for viewing various metrics of the workloads running in the Kyma runtime. For more information, see the overview of Grafana by Gaurav Abbi.

The latest release of Kyma now uses the SAP Identity Authentication Service (IAS) for authentication and Kubernetes Role-Based Access Control (RBAC) to manage authorizations within the runtime. Kubernetes provides a number of resources, such as deployments and config maps, that users interact with via the Kubernetes API. The API itself can also be extended to provide additional functionality; this is how Kyma API Rules are provided. RBAC controls access to the resources of the Kubernetes API through verbs (read, create, delete, and so on) that determine what a user may do with each resource.

Unfortunately Grafana is neither part of nor an extension of the Kubernetes API, so it does not support the RBAC methodology. For this reason Grafana is not exposed externally by default, but there are a few options to do so. The simplest, after setting up kubectl, is to use the port-forward feature of kubectl to access Grafana locally. You also have the option to configure your own custom SAP IAS tenant to manage access using the provided OAuth2 Proxy. You can find the configuration steps for both of these methods in the help documentation. The OAuth2 Proxy also supports a number of other providers, such as GitHub, which can be used to manage access. The next sections walk through this procedure.

GITHUB OAUTH

Start by creating a new OAuth application in GitHub and providing the following values. You can find the cluster domain URL of your Kyma runtime on the main dashboard, listed under API Server Address; replace api with grafana.

  • Application Name: Grafana

  • Homepage URL: https://grafana.<your cluster domain>.kyma.ondemand.com

  • Authorization callback URL: https://grafana.<your cluster domain>.kyma.ondemand.com/oauth2/callback

  • Choose Register application

On the next screen, choose the option to generate a new client secret.

Copy both the Client ID and the Client secret. These values will be used in the next steps.

Configuration of the Oauth2 Proxy

The OAuth2 proxy is configured by creating a Kubernetes secret, which the proxy reads once it is restarted. The provider has a number of configuration parameters that adjust how it works. Note that a parameter listed as --github-user is assigned within the secret as OAUTH2_PROXY_GITHUB_USER. In the script below, replace the Client ID and Client secret with the values from the GitHub application, and supply your GitHub email address. Multiple email addresses can be added by separating them with commas. The secret could also be created within the dashboard by choosing the namespace kyma-system, choosing the menu option Configuration -> Secrets, and using the option to Create Secret.

kubectl -n kyma-system create secret generic monitoring-auth-proxy-grafana-user \
	--from-literal="OAUTH2_PROXY_CLIENT_ID=<your client id>" \
	--from-literal="OAUTH2_PROXY_CLIENT_SECRET=<your client secret>" \
	--from-literal="OAUTH2_PROXY_PROVIDER=github" \
	--from-literal="OAUTH2_PROXY_GITHUB_USER=<your email address>" \
	--from-literal="OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true"

After the secret has been applied, restart the OAuth2 proxy pod by running

kubectl -n kyma-system rollout restart deployment monitoring-auth-proxy-grafana

After the pod has restarted, choosing the link to Grafana within the Kyma dashboard under the Observability menu option should prompt you for authorization. After choosing Authorize you should be redirected to Grafana.

      7 Comments

      Ian Jiang

      Hi Jamie,

      Thanks for your blog. It helps me a lot. I have a question: how can I prevent all GitHub users from accessing my Grafana dashboard on the BTP Kyma runtime?

      I thought "OAUTH2_PROXY_GITHUB_USER" was a whitelist of who has permission to access Grafana. However, I forwarded the Grafana address to my colleague, who is not in OAUTH2_PROXY_GITHUB_USER. He could then directly access the Grafana dashboard with his GitHub account.

      Thanks,

      Ian

      Jamie Cawley
      Blog Post Author

      Did you try assigning the value OAUTH2_PROXY_GITHUB_USER?

      There are also values for the org, team and repo that could be used, which are shown in the linked provider documentation.

      Regards,

      Jamie

      Luiz Gomes

      Hi Jamie,

      Thanks for your blog. It helps me a lot. I have a question: how would I authenticate in Grafana using BTP itself? In this guide https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/3e4299cfd0884c428e6b4774225638e8.html a prerequisite is IAS. But I don't have IAS and it's not possible to configure it. Is it possible to configure it in another way, using SAP technologies apart from IAS?

      Jamie Cawley
      Blog Post Author

      Hi Luiz,

      For BTP using IAS would be ideal. It's possible that you could create an XSUAA instance and use it, but when I tried I could not figure out how to get it to be restrictive.

      Regards,

      Jamie

      Luiz Gomes

      Hi Jamie,

      With XSUAA it seems to be more interesting; could you share how you did it? Have you tried using BTP roles to restrict access?

      Regards,

      Luiz

      Jamie Cawley
      Blog Post Author

      Create an instance specifying the oauth2-configuration.redirect-uris to your Grafana URL and then configure Grafana with the values of the instance.

      OAUTH2_PROXY_CLIENT_ID: ***
      OAUTH2_PROXY_CLIENT_SECRET: ***
      OAUTH2_PROXY_EMAIL_DOMAINS: your email domain
      OAUTH2_PROXY_OIDC_ISSUER_URL: https://****.hana.ondemand.com/oauth/token
      OAUTH2_PROXY_PROVIDER: oidc
      OAUTH2_PROXY_SCOPE: openid
      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: true

      Regards,

      Jamie

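The following is an added example; it is not code from the blog post, from Kyma or from oauth2-proxy. It covers both the GitHub secret created in the post body and the XSUAA/OIDC variant listed in the reply above: rather than creating the secret imperatively, it renders the same monitoring-auth-proxy-grafana-user Secret in kyma-system as a manifest that can be reviewed with kubectl diff and applied with kubectl apply, after checking that every key the chosen provider needs is present and that no <...> placeholder from the instructions was left in. The function names (flag_to_env, validate_config, render_secret), the per-provider required-key lists and all sample values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the blog post or from Kyma/oauth2-proxy.
# Renders the Secret that configures the Grafana oauth2-proxy as a declarative
# manifest (for `kubectl diff -f -` / `kubectl apply -f -`) and checks the
# required keys before anything reaches the cluster. Secret name, namespace and
# key names are those used on the page; every value below is a placeholder.

SECRET_NAME="monitoring-auth-proxy-grafana-user"
NAMESPACE="kyma-system"

# Map an oauth2-proxy flag (e.g. --github-user) to the environment variable
# the proxy reads from the secret (OAUTH2_PROXY_GITHUB_USER).
flag_to_env() {
  printf 'OAUTH2_PROXY_%s\n' "$(printf '%s' "$1" | sed 's/^--//' | tr 'a-z-' 'A-Z_')"
}

# base64 without line wrapping (GNU base64 wraps long output at 76 columns).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Keys that must be set for each provider shown on the page (assumed lists).
required_keys() {
  case "$1" in
    github) echo "OAUTH2_PROXY_CLIENT_ID OAUTH2_PROXY_CLIENT_SECRET OAUTH2_PROXY_GITHUB_USER" ;;
    oidc)   echo "OAUTH2_PROXY_CLIENT_ID OAUTH2_PROXY_CLIENT_SECRET OAUTH2_PROXY_OIDC_ISSUER_URL OAUTH2_PROXY_EMAIL_DOMAINS" ;;
    *)      return 1 ;;
  esac
}

# validate_config PROVIDER KEY=VALUE...  -> 0 if complete, 1 otherwise.
# Rejects an unknown provider, a missing required key, an empty value, or a
# value that is still an angle-bracket placeholder copied from the instructions.
validate_config() {
  provider="$1"; shift
  required=$(required_keys "$provider") || { echo "unsupported provider: $provider" >&2; return 1; }
  for key in $required; do
    value=""; found=0
    for pair in "$@"; do
      case "$pair" in
        "$key="*) found=1; value="${pair#*=}" ;;
      esac
    done
    if [ "$found" -eq 0 ] || [ -z "$value" ]; then
      echo "missing value for $key" >&2; return 1
    fi
    case "$value" in
      "<"*">") echo "placeholder still present in $key" >&2; return 1 ;;
    esac
  done
  return 0
}

# render_secret PROVIDER KEY=VALUE...  -> Secret manifest on stdout.
# OAUTH2_PROXY_PROVIDER and OAUTH2_PROXY_SKIP_PROVIDER_BUTTON are added
# automatically, matching the secret created in the post.
render_secret() {
  provider="$1"; shift
  validate_config "$provider" "$@" || return 1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
    "$SECRET_NAME" "$NAMESPACE"
  for pair in "$@"; do
    # split on the first '=' only, so a secret containing '=' stays intact
    printf '  %s: %s\n' "${pair%%=*}" "$(b64 "${pair#*=}")"
  done
  printf '  OAUTH2_PROXY_PROVIDER: %s\n' "$(b64 "$provider")"
  printf '  OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: %s\n' "$(b64 true)"
}

# Demo run with constructed placeholder values. In practice pipe the output to
# `kubectl apply -f -` and then restart the proxy deployment as the post describes:
#   kubectl -n kyma-system rollout restart deployment monitoring-auth-proxy-grafana
render_secret github \
  OAUTH2_PROXY_CLIENT_ID=constructed-client-id \
  OAUTH2_PROXY_CLIENT_SECRET=constructed-client-secret \
  OAUTH2_PROXY_GITHUB_USER=alice@example.com,bob@example.com
```

For the XSUAA setup from the reply, call render_secret with oidc and the OAUTH2_PROXY_OIDC_ISSUER_URL, OAUTH2_PROXY_EMAIL_DOMAINS and OAUTH2_PROXY_SCOPE pairs instead; the validation step then refuses to emit a manifest until the issuer URL and email domain are filled in, which is the kind of mistake that otherwise only shows up as a proxy pod that restarts into a broken login.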
      Luiz Gomes

      It worked. Now I just need to find out two things:
      01 - why I don't have authorization to favorite the dashboards.
      02 - why SAP didn't make this setting by default.

      Thank you very much for now

      Regards,

      Luiz